The big idea
QUIC (“Quick UDP Internet Connections”) is a secure, stream-multiplexed transport protocol that sits on top of UDP and folds together—in one design—the work normally done by TCP, TLS 1.3, and HTTP/2’s multiplexing layer. You do not need to understand QUIC for the IB.
Because encryption starts with the very first byte, and the handshake normally finishes in 1 RTT (0 RTT when resuming), applications see faster start-up, no cross-stream head-of-line blocking, and the ability to keep a connection alive while the client roams between networks. (RFC Editor, IETF Datatracker)
1 Historical context
- 2012–2018: Google’s experiment inside Chrome and its servers proves the concept and feeds experience back to the IETF. (Wikipedia)
- May 2021: Version 1 becomes an Internet Standard (RFC 9000; RFC 9001, the TLS binding; RFC 9002, loss and congestion control). (RFC Editor)
- June 2022: HTTP/3 (RFC 9114) defines how QUIC replaces TCP in the web stack. (RFC Editor)
- May 2023: Version 2 (RFC 9369) is published to exercise the version-negotiation framework and prevent middle-box ossification. (RFC Editor)
- Today (May 2025): ~8.5 % of all public sites speak QUIC directly, and HTTP/3 already carries about 30 % of global HTTP traffic. (W3Techs, BC Satellite)
2 Architecture at a glance
| Design element | Purpose |
|---|---|
| UDP encapsulation | Traverses NAT and firewalls that already allow UDP; user-space implementations avoid kernel changes. |
| Long & short headers | Long headers appear only during handshake; short headers minimise overhead for established traffic. |
| Connection IDs (CIDs) | 64-bit opaque values make packets routable even when the 5-tuple changes, enabling connection migration and stateless load-balancing. (IETF Datatracker) |
| Streams & flow control | Independent, ordered byte-streams share one congestion-controlled connection. Stream-level flow-control prevents head-of-line blocking between streams. |
| TLS 1.3 inside QUIC | QUIC carries the TLS handshake in encrypted frames, so security is built-in, not layered. |
| Loss detection & congestion control | Borrowed from TCP but tuned for QUIC’s packet numbers and always-encrypted headers (RFC 9002). |
| Extension points | Packet types, frames, transport parameters, versions—all explicitly designed for evolution. |
3 Handshake and security
- ClientHello is placed in an Initial packet protected with an AEAD using a version-specific salt.
- The server replies with its own Initial plus Handshake packets containing EncryptedExtensions, Certificate, etc.
- After 1 RTT both sides hold application keys and switch to short headers; resumption tickets enable 0 RTT on future connections.
Because the TLS exchange is inside QUIC, there is only one handshake instead of the TCP + TLS two-step. (RFC Editor)
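As an added example (not part of the original notes), the code below parses the version-independent long-header fields from a constructed client Initial (the headers and CIDs of section 2) and then derives the RFC 9001 Initial secrets from the DCID and the v1 salt. Both inputs travel in the clear, so these keys only stop off-path injection; that is why a passive capture tool can decrypt Initial packets without any key log, and why the confidentiality described above really begins once Handshake keys come out of the TLS key exchange.

```python
"""Parse the version-independent QUIC long-header fields and derive the Initial
secrets (RFC 9001, Section 5.2). Packet bytes below are constructed for this example."""
import hashlib
import hmac
import struct

# Version-specific salt for QUIC v1 (RFC 9001, Section 5.2).
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(secret: bytes, label: str, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label with an empty context (RFC 8446, Section 7.1)."""
    full_label = b"tls13 " + label.encode()
    info = struct.pack(">H", length) + bytes([len(full_label)]) + full_label + b"\x00"
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def parse_long_header(pkt: bytes) -> dict:
    """Fields every QUIC version shares: header form, version, DCID and SCID."""
    if not pkt[0] & 0x80:
        raise ValueError("short header: CID length is known only to the endpoints")
    version = struct.unpack(">I", pkt[1:5])[0]
    dcid_len = pkt[5]
    dcid = pkt[6:6 + dcid_len]
    scid_len = pkt[6 + dcid_len]
    scid = pkt[7 + dcid_len:7 + dcid_len + scid_len]
    return {"version": version, "dcid": dcid, "scid": scid}

def initial_secrets(dcid: bytes) -> dict:
    """Depends only on the public DCID and salt: any on-path observer can compute these."""
    initial = hkdf_extract(INITIAL_SALT_V1, dcid)
    return {
        "initial": initial,
        "client": hkdf_expand_label(initial, "client in", 32),
        "server": hkdf_expand_label(initial, "server in", 32),
    }

# Constructed header of a client Initial: long form + fixed bit (0xc0), version 1,
# the 8-byte DCID used in RFC 9001 Appendix A, empty SCID. Token/length/payload omitted.
SAMPLE_INITIAL = bytes.fromhex("c0" "00000001" "08" "8394c8f03e515708" "00")

if __name__ == "__main__":
    hdr = parse_long_header(SAMPLE_INITIAL)
    print(hdr["version"], hdr["dcid"].hex(), initial_secrets(hdr["dcid"])["client"].hex())
```

With the Appendix A DCID the derived client_initial_secret matches the RFC's published test vector, which is a quick sanity check for any HKDF implementation you bring to QUIC tooling.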
4 Performance features
| Feature | Practical benefit |
|---|---|
| 1-RTT / 0-RTT setup (RTT = round-trip time) | Eliminates the full 3-way TCP handshake plus TLS round-trips. |
| No cross-stream HoL blocking | A lost packet stalls only its own stream, not every HTTP request in the connection. |
| Connection migration | Walking out of Wi-Fi range and onto 5G merely changes the 5-tuple; CIDs keep the session alive. (IETF Datatracker) |
| Pluggable congestion control | Cubic, BBR, or any future algorithm can run in user space; QUIC v1 libraries commonly default to Cubic or BBR. |
| Encryption by default | Middle-boxes cannot snoop sequence numbers, improving privacy and reducing ossification risk. |
5 Important extensions and drafts
| RFC / Draft | What it adds | Status (May 2025) |
|---|---|---|
| RFC 9221 – Datagram Extension | Unreliable QUIC frames to carry media or gaming traffic side-by-side with reliable streams. (IETF Datatracker) | Proposed Standard |
| RFC 9369 – QUIC v2 | Alternate wire version to prove that upgrade paths work and to fight hard-coded middle-box rules. (RFC Editor) | Standards Track |
| draft-ietf-quic-multipath-11 | Multiple concurrent paths per connection (e.g., Wi-Fi + 5G aggregation). (IETF Datatracker) | WG draft |
| MASQUE (Multiplexed Application Substrate over QUIC Encryption) | Efficient UDP/TCP tunnelling over HTTP/3—foundation for VPN-like services. (The Cloudflare Blog) | WG drafts |
| QUIC-LB | Encodes routing info into server-chosen CIDs so stateless L4 load balancers can direct traffic after migration. (IETF Datatracker) | WG draft |
| RFC 9250 – DNS-over-QUIC (DoQ) | Confidential DNS with better latency than DoT. (RFC Editor) | Standards Track |
6 Ecosystem & implementations
All major browsers (Chrome, Edge, Firefox, Safari) and CDNs (Google Front-End, Cloudflare, Akamai, Fastly) ship production QUIC/HTTP-3 stacks.
Popular open-source libraries include quiche (Rust), ngtcp2 (C), quic-go (Go) and msquic (C). (BC Satellite)
7 Operational considerations
- Observability: packet numbers and most headers are encrypted, so passive middle-boxes lose visibility; RFC 9312 gives guidance. (RFC Editor)
- Load balancing: use CID-aware devices or QUIC-LB to maintain affinity after connection migration.
- UDP treatment: some enterprise networks still rate-limit or block UDP; fallback to TCP+TLS is therefore essential for public services.
8 Limitations and challenges
- State amplification attacks require servers to validate client IPs before committing resources.
- Path MTU discovery is harder because QUIC packets cannot be fragmented; servers rely on PMTUD or conservative sizing.
- UDP ossification—networks that assume UDP is “stateless and best-effort” may mishandle long-lived, high-rate QUIC flows.
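A server-side sketch of the mitigation named in the first bullet, added here and not part of the original notes: until a client address is validated the server may send at most three times the bytes it has received from that address (RFC 9000, Section 8.1), and a stateless, address-bound token lets a later Initial prove the address without the server holding state. The token layout (expiry, original DCID, truncated HMAC) is this example's own construction, not a wire format from the RFC.

```python
"""Address validation and the 3x anti-amplification limit a QUIC server applies
before it trusts a client address (RFC 9000, Section 8.1). Token layout is this
example's own construction, not a wire format from the RFC."""
import hashlib
import hmac
from typing import Optional

AMPLIFICATION_FACTOR = 3  # RFC 9000 8.1: at most 3x the bytes received from an unvalidated address

class PathState:
    """Byte accounting for one client address until that address is validated."""
    def __init__(self) -> None:
        self.received = self.sent = 0
        self.validated = False

    def on_receive(self, nbytes: int) -> None:
        self.received += nbytes

    def can_send(self, nbytes: int) -> bool:
        """Unvalidated peers may only draw on a 3x budget of what they have sent us."""
        if self.validated:
            return True
        return self.sent + nbytes <= AMPLIFICATION_FACTOR * self.received

    def on_send(self, nbytes: int) -> None:
        if not self.can_send(nbytes):
            raise RuntimeError("anti-amplification limit would be exceeded")
        self.sent += nbytes

class TokenIssuer:
    """Stateless Retry-style tokens: expiry || ODCID || HMAC(key, addr || expiry || ODCID)."""
    def __init__(self, key: bytes, lifetime: int = 30) -> None:
        self.key, self.lifetime = key, lifetime

    def issue(self, addr: str, odcid: bytes, now: float) -> bytes:
        body = (int(now) + self.lifetime).to_bytes(8, "big") + odcid
        return body + self._tag(addr, body)

    def validate(self, token: bytes, addr: str, now: float) -> Optional[bytes]:
        """Return the original DCID if the token is genuine, unexpired and bound to addr."""
        if len(token) < 24:
            return None
        body, tag = token[:-16], token[-16:]
        expired = now >= int.from_bytes(body[:8], "big")
        # Constant-time compare; the MAC binds the address, the expiry bounds replay.
        if expired or not hmac.compare_digest(tag, self._tag(addr, body)):
            return None
        return body[8:]

    def _tag(self, addr: str, body: bytes) -> bytes:
        return hmac.new(self.key, addr.encode() + body, hashlib.sha256).digest()[:16]
```

Because RFC 9000 requires a client to pad its first Initial datagram to at least 1200 bytes, the budget before validation works out to 3600 bytes, enough for the server's own Initial and Handshake packets in most deployments.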
9 Future outlook
With HTTP/3 widely deployed and extensions such as MASQUE and Multipath nearing completion, QUIC is rapidly becoming a multi-purpose substrate for web, real-time media, gaming, and privacy tunnels. The version-negotiation framework proven by QUIC v2 ensures that entirely new security primitives or congestion algorithms can ship without another decades-long migration.
In one sentence: QUIC turns the Internet’s classic “TCP + TLS + HTTP/2” three-layer cake into a single, evolvable protocol that delivers lower latency, better mobility support, and built-in security—exactly the qualities modern applications and mobile users demand.